Last updated: March 2026
GemJam is an inventory management platform built for UK dealers of unique items, including jewellery, watches, antiques, and luxury goods. GemJam is operated by GemJam Ltd, a company registered in England and Wales.
For the purposes of UK data protection law, GemJam Ltd is the data controller for the personal data we collect about you (such as your account details, contact information, and how you use our website). When you store business data in GemJam (such as your inventory, transactions, and contacts), we act as a data processor on your behalf.
If you have any questions about this policy or how we handle your data, you can contact us at:
We collect different types of personal data depending on how you interact with GemJam:
When you create an account, we collect your name, email address, and password (managed securely by our authentication provider). If you add a profile picture, we store that too.
When you set up your organisation in GemJam, we collect your business name and any organisation settings you configure.
This includes your inventory records, purchase and sale transactions, contact details for your suppliers and customers, item images, and any other data you enter into the platform. You are the controller of this data — we process it on your behalf to provide the service.
We use Stripe as our payment processor. Stripe collects your payment details (such as card number and billing address) directly. We do not see or store your full payment card details. We receive limited billing information from Stripe, such as your name, email, and transaction history, to manage your subscription.
When you use GemJam, we automatically collect technical information including your IP address (which is discarded by our analytics provider and not stored — see section 10), browser type, device information, pages you visit, and how you interact with the platform. This helps us improve the service and diagnose issues.
We use cookies and similar technologies. See section 10 for full details.
Under UK GDPR, we must have a lawful basis for processing your personal data. Here is what we use your data for and why we are allowed to:
| Purpose | Lawful basis |
|---|---|
| Providing the GemJam service (hosting your inventory, processing transactions, managing your account) | Contract — necessary to deliver the service you signed up for |
| Processing payments and managing your subscription | Contract — necessary to fulfil our agreement with you |
| Sending you important service communications (e.g. changes to your account, security alerts, billing notifications) | Contract — necessary to keep you informed about the service |
| Improving the platform, fixing bugs, and analysing how features are used | Legitimate interests — to improve and develop our service |
| Protecting against fraud, abuse, and security threats | Legitimate interests — to keep our platform and users safe |
| Sending you marketing communications about GemJam (only with your permission) | Consent — you can withdraw this at any time |
| Complying with tax, legal, and regulatory obligations | Legal obligation — required by UK law |
We use your personal data to:
We do not sell your personal data to anyone. We do not use your data for automated decision-making or profiling.
We share your data with a limited number of trusted third-party service providers who help us run GemJam. Each provider only receives the data they need for their specific purpose, and we have data processing agreements in place with each of them.
| Service | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication and user account management | Name, email address, profile picture, session data, IP address |
| Stripe | Payment processing, subscription management, and billing | Name, email, billing address, payment details (Stripe processes payments on our behalf and does not share your card details with us) |
| Neon | Database hosting (PostgreSQL) | All data stored in GemJam (inventory, transactions, contacts, account data) |
| Vercel | Application hosting, serverless functions, and content delivery | IP address, browser information, request data (processed ephemerally for serving the application) |
| ImageKit | Image storage and delivery (CDN) for item photographs | Item images you upload, delivery logs (IP addresses) |
| PostHog | Product analytics, error monitoring, and session replay | Pseudonymised usage data (page views, feature interactions, client-side errors), session recordings with all form inputs automatically masked and additional sensitive content (financial data, personal details) masked where developers have applied data attributes. No direct identifiers (e.g. email, name) are sent to PostHog; pseudonymous identifiers and usage data may still constitute personal data under UK GDPR. IP addresses are discarded at ingestion and are not stored. You can opt out via Settings > Preferences > Privacy |
We may also share your data if we are required to by law, regulation, or legal process (for example, in response to a court order or request from HMRC).
If GemJam is acquired by or merged with another company, your data may be transferred as part of that transaction. We would notify you before your data is transferred and becomes subject to a different privacy policy.
Some of our service providers process data outside the United Kingdom. We ensure that appropriate safeguards are in place for all international transfers of personal data, as required by UK GDPR.
Here is where your data may be processed:
| Service | Location | Safeguard |
|---|---|---|
| Neon (database) | AWS Europe West 2 (London, United Kingdom) | UK data residency; DPA in place |
| Clerk (authentication) | United States (Google Cloud) | UK Extension to the EU-US Data Privacy Framework; DPA in place |
| Stripe (payments) | United Kingdom, United States | UK entity (Stripe Payments UK Ltd); DPA in place |
| Vercel (hosting) | United States (primary); global edge network for content delivery | UK Extension to the EU-US Data Privacy Framework; DPA in place |
| ImageKit (images) | AWS — configurable region (Europe available) | EU-US Data Privacy Framework (UK Extension); DPA available |
| PostHog (analytics) | European Union (Frankfurt, Germany) | EU data residency; DPA in place |
Where data is transferred to the United States, our providers are certified under the EU-US Data Privacy Framework with the UK Extension (also known as the UK-US Data Bridge), which has been recognised by the UK government as providing adequate protection for personal data.
We keep your data for as long as necessary for the purposes described in this policy. Here are the specific retention periods:
| Data type | How long we keep it |
|---|---|
| Account data | For the duration of your account, plus 30 days after deletion to allow for recovery |
| Business data (inventory, transactions, contacts) | For the duration of your account. Deleted within 90 days of account closure |
| Item images | For the duration of your account. Deleted from our image storage provider within 90 days of account closure |
| Billing and payment records | 7 years after the end of your subscription (as required by UK tax law) |
| Usage and technical logs | Up to 12 months, then automatically deleted |
| Support communications | For the duration of your account, plus 2 years after account closure |
When you cancel your account, we use a soft-delete approach. Your data is marked as deleted and becomes inaccessible, but is retained briefly in case you change your mind. After the retention period, your data is permanently and irreversibly deleted from our systems and those of our processors.
Under UK data protection law, you have the following rights over your personal data:
To make a request, email us at privacy@gemjam.app. We will respond within one month. If your request is complex, we may extend this by up to two further months, but we will let you know within the first month.
There is no fee for making a request. We may ask you to verify your identity before processing your request.
If you are unhappy with how we have handled your data, we encourage you to contact us first at privacy@gemjam.app so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection regulator:
We take the security of your data seriously and use appropriate technical and organisational measures to protect it. These include:
No system is completely secure. If we become aware of a data breach that affects your personal data, we will notify you and the ICO as required by law.
Cookies are small text files stored on your device when you visit a website. We use cookies for the following purposes:
These are necessary for GemJam to work. They include cookies for authentication (keeping you signed in) and security. You cannot opt out of these cookies as the service would not function without them.
| Cookie | Provider | Purpose |
|---|---|---|
| Session cookies | Clerk | Keep you signed in and manage your authentication session |
| Security cookies | Clerk / Vercel | Protect against cross-site request forgery and other security threats |
We use PostHog, a product analytics platform hosted in the European Union, to understand how our features are used and to diagnose errors. PostHog sets cookies to distinguish between users across sessions and to support session replay. These cookies are first-party (set on our domain) and do not track you across other websites.
| Cookie | Provider | Purpose | Expiry |
|---|---|---|---|
| ph_phc_*_posthog | PostHog | Stores a pseudonymous device identifier and session ID for analytics. Most analytics data (session replay configuration, feature flags) is kept in your browser’s localStorage, not in this cookie | 1 year |
| __ph_opt_in_out_<token> | PostHog | Records your analytics opt-out preference (set when you disable analytics in Settings) | 1 year |
PostHog analytics data is processed on our behalf under a data processing agreement.
Session recordings automatically mask all form inputs. Other sensitive content (financial data, personal details) is masked or blocked where our developers have applied privacy attributes (data-ph-mask, data-ph-block). No direct identifiers (such as your email or name) are included in the analytics data we send to PostHog; pseudonymous identifiers and usage data may still constitute personal data under UK GDPR. IP addresses are discarded at ingestion and are not stored.
Consent and lawful basis: In accordance with the Privacy and Electronic Communications Regulations (PECR), we do not set analytics cookies on your device until you have signed in and have not opted out of analytics. When you first visit GemJam, our analytics service runs in memory only — no cookies or other data are stored on your device. Analytics cookies are only placed after you sign in, at which point your analytics preference is known. The underlying data processing is carried out under our legitimate interest in understanding how GemJam is used and diagnosing errors (see section 3). Before you sign in, pseudonymous analytics events (such as page views and errors) may still be sent to our analytics provider for error monitoring, but no data is stored on your device and IP addresses are discarded at ingestion.
Opting out: You can disable analytics at any time by going to Settings > Preferences > Privacy within GemJam. When you opt out, client-side analytics collection stops immediately, analytics cookies are removed from your device, and no new cookies will be set. A small number of server-side operational events with pseudonymised identifiers (and no direct identifiers such as name or email) may still be recorded. You can also block analytics cookies through your browser settings.
You can control cookies through your browser settings. Please note that disabling essential cookies may prevent you from using GemJam.
GemJam is a business-to-business service designed for trade professionals. It is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@gemjam.app and we will delete it.
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the “last updated” date at the top of this page.
For significant changes that affect how we process your personal data, we will notify you by email or through a notice in the GemJam application before the changes take effect.
If you have any questions about this privacy policy or how we handle your data, please get in touch: